SlideShare a Scribd company logo

OAuth2 primer

Manish Pandit, profile picture
Manish Pandit

This document provides an overview of OAuth2 as an authorization standard. It describes the key concepts in OAuth2 including the resource owner, client, authorization server, access tokens, refresh tokens, and different grant types (authorization code, implicit, resource owner password, client credentials). It provides examples of OAuth2 flows and demonstrates some implementations.

Technology
Related topics:
API Security Insights
1 of 35
Downloaded 28 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
OAuth2 Primer Manish Pandit 03/19/2018
OAuth2 primer
OAuth2 primer
OAuth2 primer
OAuth Primer The Need OAuth as a Standard OAuth in Practice
Identity and Authorization I want TurboTax to pull my trades from Fidelity
But... I do not want to give my Fidelity password to TurboTax I do not want TurboTax to pull anything other than trades I want the ability to revoke TurboTax’s access to my Fidelity Account
So.. Access Keys Whitelisting HTTP Basic Screen Scraping with stored credentials Wide open access/No authorization
And there is more.. Mobile IoT Devices Service to Service Client-Server Applications Rich Client Applications
Need for.. A secure standard for access authorization without the password leaving the site where the protected data is. Short-lived tokens in lieu of passwords to access information. A standard that works across all the API access patterns.
OAuth2 primer
OAuth 2.0 OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords. (Wikipedia) OAuth 2.0 relies on HTTP over TLS OAuth is an authorization protocol, and NOT an authentication protocol. * I still have bad dreams about OAuth 1.0 and 1.0a
..and many, many more!
Coming soon..
Terminology The OAuth spec outlines the basic terms that build upon the standard. ● Resource Owner ● Resource Server ● Client ● Authorization Server
Connecting the dots Resource Owner is the user whose resources (data) exists on a Resource Server. The Resource Owner grants access to a Client to access these resources, by authorizing access to those resources on an Authorization Server where his identity exists and can be authenticated. The Client then gets credentials from the Authorization Server that can be used on the Resource Owner’s behalf to access the resources on the Resource Server.
Authorization Examples A Twitter desktop client posting tweets on your behalf MyFitnessPal getting your Step Count from your Fitbit Account Turbotax getting your trades from your Fidelity Account Instacart Servers calling Marqeta’s API Facebook iOS app accessing your Facebook account Single Page App (RCA) accessing your News Aggregator
OAuth 2.0 Constructs Client ID Client Secret Scope Grant Type Access Token Refresh Token
Client ID and Client Secret Identify the client which could be an web application, a single page app, a native mobile app, or a server
Grant Type Steps that define the authorization protocol, resulting in an access token.
Access Tokens Short lived (hours, days, weeks, months?), bearer tokens that the client can use to act on behalf of the resource owner.
Refresh Tokens Long lived tokens, used to request a new access token upon expiry of the current one, without Resource Owner intervention.
Scope Scopes define the which resources can be accessed by the client using the access token. Scopes can be sliced and diced in many ways - Read vs. Write, Functionality based, Default, etc. Be careful defining them - you’ll end up with an LDAP ACLs. Scopes <> ACL.
Authorization Code Grant For client/server web applications, also known as delegated authentication. Also known as 3-legged OAuth. Quiz - Guess the 3 legs
Authorization Code Grant Flow 1. The client redirects the resource owner to the authorization server by passing in the response_type=code, redirect_uri, scope, and client_id. 2. The authorization server asks the resource owner for his credentials, MFA may be performed here. 3. The authorization server asks the resource owner to pick scopes that the client will be authorized for. 4. Upon the resource owner granting access, the authorization server sends a short lived authorization code to the redirect_uri 5. The client uses this authorization code to do a POST on the authorization server, passing in client_id, client_secret, and grant_type=authorization_code. 6. The client receives a refresh token and and access token.
Demo – CapitalOne Rewards
Implicit Grant For Single Page Apps, or Desktop Clients, or Browser Extensions.. There is no client_secret since the client cannot keep the secret. A simplified version of Authorization Code Grant. A refresh token is not returned in the response. Never, ever used in Financial Systems.
Implicit Grant Flow 1. Client redirects the resource owner to the authorization URL same as Authorization Code Flow, except response_type is token (vs. code), and grant_type is not passed. 2. Upon the access being granted by the resource owner, an Access Token is provided to the client.
Resource Owner Password Grant For fully trusted clients, like Native Mobile Apps provided by the Resource Server who is also the Identity Server. The only grant type where a user’s credentials are passed in the token request. Also known as Password Grant
Resource Owner Password Grant Flow 1. Client sends request to the Authorization server as a POST with grant_type=password, client_id, client_secret, scope, username, and password. 2. The Authorization Server responds with an access token and a refresh token.
Client Credentials Grant For server to service, or machine to machine, or service to service call. There is no identity involved. Also known as 2-legged OAuth. A refresh token is not returned. Simplest of all grant types. Additional security via whitelisting and firewalling can be implemented.
Client Credentials Grant Flow 1. Client sends a POST request to the authorization server with client_id, client_secret, grant_type=client_credentials and scope. 2. Authorization server returns an access token to the client.
Demo – CapitalOne Credit Offers
Source: https://auth0.com/docs/api-auth/which-oauth-flow-to-use
References The OAuth2 Spec, RFC 6749 https://tools.ietf.org/html/rfc6749 The OAuth Bible http://oauthbible.com/ A Guide to OAuth2 Grant Types https://alexbilbie.com/guide-to-oauth-2-grants/

More Related Content

PDF
Introduction to OAuth2.0
Oracle Corporation
 
PPTX
An introduction to OAuth 2
Sanjoy Kumar Roy
 
PPTX
The State of OAuth2
Aaron Parecki
 
PDF
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
PDF
Spring security oauth2
axykim00
 
PPTX
OAuth2 Presentaion
Bhargav Surimenu
 
PPTX
OAuth2 & OpenID Connect
Marcin Wolnik
 
PPTX
OAuth 2
ChrisWood262
 
Introduction to OAuth2.0
Oracle Corporation
 
An introduction to OAuth 2
Sanjoy Kumar Roy
 
The State of OAuth2
Aaron Parecki
 
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
Spring security oauth2
axykim00
 
OAuth2 Presentaion
Bhargav Surimenu
 
OAuth2 & OpenID Connect
Marcin Wolnik
 
OAuth 2
ChrisWood262
 

What's hot (20)

ODP
OAuth2 - Introduction
Knoldus Inc.
 
PPT
OAuth2 Protocol with Grails Spring Security
NexThoughts Technologies
 
PPTX
An Introduction to OAuth 2
Aaron Parecki
 
PDF
Demystifying OAuth 2.0
Karl McGuinness
 
PPTX
OAuth2 + API Security
Amila Paranawithana
 
PDF
OAuth 2.0
Uwe Friedrichsen
 
PDF
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
PDF
Implementing OAuth
leahculver
 
PDF
Intro to API Security with Oauth 2.0
Functional Imperative
 
PDF
OAuth - Open API Authentication
leahculver
 
PPTX
An Introduction to OAuth2
Aaron Parecki
 
PPTX
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
PPTX
Oauth 2.0
Manish Kumar Singh
 
PPTX
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
PPTX
(1) OAuth 2.0 Overview
anikristo
 
PPT
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Manish Pandit
 
PPTX
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Aaron Parecki
 
PPTX
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
PPTX
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
PPTX
OAuth 2 Presentation
Mohamed Ahmed Abdullah
 
OAuth2 - Introduction
Knoldus Inc.
 
OAuth2 Protocol with Grails Spring Security
NexThoughts Technologies
 
An Introduction to OAuth 2
Aaron Parecki
 
Demystifying OAuth 2.0
Karl McGuinness
 
OAuth2 + API Security
Amila Paranawithana
 
OAuth 2.0
Uwe Friedrichsen
 
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Implementing OAuth
leahculver
 
Intro to API Security with Oauth 2.0
Functional Imperative
 
OAuth - Open API Authentication
leahculver
 
An Introduction to OAuth2
Aaron Parecki
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
Oauth 2.0
Manish Kumar Singh
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
(1) OAuth 2.0 Overview
anikristo
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Manish Pandit
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Aaron Parecki
 
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
OAuth 2 Presentation
Mohamed Ahmed Abdullah
 
Ad

Similar to OAuth2 primer (20)

PPTX
Intro to OAuth2 and OpenID Connect
LiamWadman
 
PDF
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Sirris
 
PDF
OAuth 2.0 Misconceptions
Cory Forsyth
 
PPTX
Extended Security with WSO2 API Management Platform
WSO2
 
PDF
Lecture #25 : Oauth 2.0
Dr. Ramchandra Mangrulkar
 
PPTX
O auth
Ashok Kumar N
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
PPTX
OAuth2 Implementation Presentation (Java)
Knoldus Inc.
 
PDF
OAuth2
SPARK MEDIA
 
PDF
Demystifying OAuth 2.0
Yury Roa
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
PDF
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
PPTX
O auth 2.0 authorization framework
John Temoty Roca
 
PPTX
OAuth
Tom Elrod
 
PDF
Stateless authentication for microservices applications - JavaLand 2015
Alvaro Sanchez-Mariscal
 
PDF
Stateless authentication for microservices
Alvaro Sanchez-Mariscal
 
PDF
Oauth2.0 tutorial
HarikaReddy115
 
PDF
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
PPTX
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
gemziebeth
 
PDF
O auth2.0 guide
Dilip Mohapatra
 
Intro to OAuth2 and OpenID Connect
LiamWadman
 
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Sirris
 
OAuth 2.0 Misconceptions
Cory Forsyth
 
Extended Security with WSO2 API Management Platform
WSO2
 
Lecture #25 : Oauth 2.0
Dr. Ramchandra Mangrulkar
 
O auth
Ashok Kumar N
 
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
OAuth2 Implementation Presentation (Java)
Knoldus Inc.
 
OAuth2
SPARK MEDIA
 
Demystifying OAuth 2.0
Yury Roa
 
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
O auth 2.0 authorization framework
John Temoty Roca
 
OAuth
Tom Elrod
 
Stateless authentication for microservices applications - JavaLand 2015
Alvaro Sanchez-Mariscal
 
Stateless authentication for microservices
Alvaro Sanchez-Mariscal
 
Oauth2.0 tutorial
HarikaReddy115
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
gemziebeth
 
O auth2.0 guide
Dilip Mohapatra
 
Ad

More from Manish Pandit (20)

PDF
Disaster recovery - What, Why, and How
Manish Pandit
 
PDF
Serverless Architectures on AWS in practice - OSCON 2018
Manish Pandit
 
PDF
Disaster Recovery and Reliability
Manish Pandit
 
PDF
Immutable AWS Deployments with Packer and Jenkins
Manish Pandit
 
PDF
AWS Lambda with Serverless Framework and Java
Manish Pandit
 
PDF
AWS Primer and Quickstart
Manish Pandit
 
PDF
Silicon Valley 2014 - API Antipatterns
Manish Pandit
 
PDF
Scalabay - API Design Antipatterns
Manish Pandit
 
PDF
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
Manish Pandit
 
PPTX
API Design Antipatterns - APICon SF
Manish Pandit
 
PPTX
Motivation : it Matters
Manish Pandit
 
PPTX
Building Apis in Scala with Playframework2
Manish Pandit
 
PPTX
Scala at Netflix
Manish Pandit
 
PPT
Introducing Scala to your Ruby/Java Shop : My experiences at IGN
Manish Pandit
 
PPT
Evolving IGN’s New APIs with Scala
Manish Pandit
 
PPTX
IGN's V3 API
Manish Pandit
 
PPTX
Java and the JVM
Manish Pandit
 
PPTX
Object Oriented Programming
Manish Pandit
 
PPTX
Silicon Valley Code Camp 2011: Play! as you REST
Manish Pandit
 
PPTX
Silicon Valley Code Camp: 2011 Introduction to MongoDB
Manish Pandit
 
Disaster recovery - What, Why, and How
Manish Pandit
 
Serverless Architectures on AWS in practice - OSCON 2018
Manish Pandit
 
Disaster Recovery and Reliability
Manish Pandit
 
Immutable AWS Deployments with Packer and Jenkins
Manish Pandit
 
AWS Lambda with Serverless Framework and Java
Manish Pandit
 
AWS Primer and Quickstart
Manish Pandit
 
Silicon Valley 2014 - API Antipatterns
Manish Pandit
 
Scalabay - API Design Antipatterns
Manish Pandit
 
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
Manish Pandit
 
API Design Antipatterns - APICon SF
Manish Pandit
 
Motivation : it Matters
Manish Pandit
 
Building Apis in Scala with Playframework2
Manish Pandit
 
Scala at Netflix
Manish Pandit
 
Introducing Scala to your Ruby/Java Shop : My experiences at IGN
Manish Pandit
 
Evolving IGN’s New APIs with Scala
Manish Pandit
 
IGN's V3 API
Manish Pandit
 
Java and the JVM
Manish Pandit
 
Object Oriented Programming
Manish Pandit
 
Silicon Valley Code Camp 2011: Play! as you REST
Manish Pandit
 
Silicon Valley Code Camp: 2011 Introduction to MongoDB
Manish Pandit
 

Recently uploaded (20)

PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Encapsulation theory and applications.pdf
gurumoop
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
A Presentation on Artificial Intelligence
memembruh336
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 

OAuth2 primer

  • 5. OAuth Primer The Need OAuth as a Standard OAuth in Practice
  • 6. Identity and Authorization I want TurboTax to pull my trades from Fidelity
  • 7. But... I do not want to give my Fidelity password to TurboTax I do not want TurboTax to pull anything other than trades I want the ability to revoke TurboTax’s access to my Fidelity Account
  • 8. So.. Access Keys Whitelisting HTTP Basic Screen Scraping with stored credentials Wide open access/No authorization
  • 9. And there is more.. Mobile IoT Devices Service to Service Client-Server Applications Rich Client Applications
  • 10. Need for.. A secure standard for access authorization without the password leaving the site where the protected data is. Short-lived tokens in lieu of passwords to access information. A standard that works across all the API access patterns.
  • 12. OAuth 2.0 OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords. (Wikipedia) OAuth 2.0 relies on HTTP over TLS OAuth is an authorization protocol, and NOT an authentication protocol. * I still have bad dreams about OAuth 1.0 and 1.0a
  • 15. Terminology The OAuth spec outlines the basic terms that build upon the standard. ● Resource Owner ● Resource Server ● Client ● Authorization Server
  • 16. Connecting the dots Resource Owner is the user whose resources (data) exists on a Resource Server. The Resource Owner grants access to a Client to access these resources, by authorizing access to those resources on an Authorization Server where his identity exists and can be authenticated. The Client then gets credentials from the Authorization Server that can be used on the Resource Owner’s behalf to access the resources on the Resource Server.
  • 17. Authorization Examples A Twitter desktop client posting tweets on your behalf MyFitnessPal getting your Step Count from your Fitbit Account Turbotax getting your trades from your Fidelity Account Instacart Servers calling Marqeta’s API Facebook iOS app accessing your Facebook account Single Page App (RCA) accessing your News Aggregator
  • 18. OAuth 2.0 Constructs Client ID Client Secret Scope Grant Type Access Token Refresh Token
  • 19. Client ID and Client Secret Identify the client which could be an web application, a single page app, a native mobile app, or a server
  • 20. Grant Type Steps that define the authorization protocol, resulting in an access token.
  • 21. Access Tokens Short lived (hours, days, weeks, months?), bearer tokens that the client can use to act on behalf of the resource owner.
  • 22. Refresh Tokens Long lived tokens, used to request a new access token upon expiry of the current one, without Resource Owner intervention.
  • 23. Scope Scopes define the which resources can be accessed by the client using the access token. Scopes can be sliced and diced in many ways - Read vs. Write, Functionality based, Default, etc. Be careful defining them - you’ll end up with an LDAP ACLs. Scopes <> ACL.
  • 24. Authorization Code Grant For client/server web applications, also known as delegated authentication. Also known as 3-legged OAuth. Quiz - Guess the 3 legs
  • 25. Authorization Code Grant Flow 1. The client redirects the resource owner to the authorization server by passing in the response_type=code, redirect_uri, scope, and client_id. 2. The authorization server asks the resource owner for his credentials, MFA may be performed here. 3. The authorization server asks the resource owner to pick scopes that the client will be authorized for. 4. Upon the resource owner granting access, the authorization server sends a short lived authorization code to the redirect_uri 5. The client uses this authorization code to do a POST on the authorization server, passing in client_id, client_secret, and grant_type=authorization_code. 6. The client receives a refresh token and and access token.
  • 27. Implicit Grant For Single Page Apps, or Desktop Clients, or Browser Extensions.. There is no client_secret since the client cannot keep the secret. A simplified version of Authorization Code Grant. A refresh token is not returned in the response. Never, ever used in Financial Systems.
  • 28. Implicit Grant Flow 1. Client redirects the resource owner to the authorization URL same as Authorization Code Flow, except response_type is token (vs. code), and grant_type is not passed. 2. Upon the access being granted by the resource owner, an Access Token is provided to the client.
  • 29. Resource Owner Password Grant For fully trusted clients, like Native Mobile Apps provided by the Resource Server who is also the Identity Server. The only grant type where a user’s credentials are passed in the token request. Also known as Password Grant
  • 30. Resource Owner Password Grant Flow 1. Client sends request to the Authorization server as a POST with grant_type=password, client_id, client_secret, scope, username, and password. 2. The Authorization Server responds with an access token and a refresh token.
  • 31. Client Credentials Grant For server to service, or machine to machine, or service to service call. There is no identity involved. Also known as 2-legged OAuth. A refresh token is not returned. Simplest of all grant types. Additional security via whitelisting and firewalling can be implemented.
  • 32. Client Credentials Grant Flow 1. Client sends a POST request to the authorization server with client_id, client_secret, grant_type=client_credentials and scope. 2. Authorization server returns an access token to the client.
  • 33. Demo – CapitalOne Credit Offers
  • 35. References The OAuth2 Spec, RFC 6749 https://tools.ietf.org/html/rfc6749 The OAuth Bible http://oauthbible.com/ A Guide to OAuth2 Grant Types https://alexbilbie.com/guide-to-oauth-2-grants/